Update ELB creation code to reflect new SSLNegotiationPolicyType behavio...

ELB.md

@@ -26,7 +26,14 @@
             map_port('HTTPS', 443, 'HTTP', 81, 'snake-oil')
 
             # Applies to all HTTPS/SSL listeners
-            disallowed_ciphers(%w[ RC4-SHA ])
+            allowed_ciphers(%w[ Protocol-SSLv3 Protocol-TLSv1 RC4-MD5 RC4-SHA ])
+
+            # If AWS tries to add other ciphers automatically because "they know
+            # best", and you really don't want that cipher (e.g. the cipher is
+            # flagged as problematic by SSLLabs, nessus, etc.) you can explicitly
+            # disallow the cipher from your HTTPS/SSL listeners thusly.
+            disallowed_ciphers(%w[ AES128-SHA ])
+            # PROTIP: The disallowed_ciphers call is usually unnecessary
 
             # Health check that is made against ALL running instances
             health_check do
@@ -78,15 +85,18 @@ These `knife cluster` commands are not associated with updates of the Chef or IA
 
 ## SSL policy
 
-The SSL policy control in Ironfan is very rudimentary. You may control which ciphers are explicitly disallowed as follows
+The SSL policy control in Ironfan is very rudimentary. You may control which ciphers are explicitly allowed or disallowed as follows
 
     elastic_load_balancer "sparky-elb" do
       ...
-      disallowed_ciphers(%w[ RC4-SHA ])
+      allowed_ciphers(%w[ Protocol-SSLv3 Protocol-TLSv1 RC4-MD5 RC4-SHA ])
+      disallowed_ciphers(%w[ AES128-SHA ])
       ...
     end
 
-Note that the default behavior is to disallow ciphers that are hypothetically vulnerable to the [BEAST attack](http://vnhacker.blogspot.com/2011/09/beast.html). You probably don't want or need to change it.
+Note that the default behavior is to allow a standard "safe" list of ciphers supported by most modern browsers, and to disallow ciphers that are hypothetically vulnerable to the [BEAST attack](http://vnhacker.blogspot.com/2011/09/beast.html) and RC4 attacks (http://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks). You probably don't want or need to change it.
+
+NOTE: If you do call allowed_ciphers or disallowed_ciphers, you will be overriding the built-in defaults and will need to specify the complete list of allowed or disallowed ciphers instead of just the ones you want to add or remove from the list.
 
 ## How do port mappings work?
 

lib/ironfan/dsl/ec2.rb

@@ -182,8 +182,15 @@ def to_fog
 
         end
 
-        # SSL ciphers susceptible to the BEAST attack
-        BEAST_VULNERABLE_CIPHERS = %w[
+        # AWS has wonky logic about which ciphers are included in a policy.
+        # Some ciphers need to be explicitly excluded or else they will be
+        # included, and vice versa. For completeness we protect ourselves
+        # from this behavior the best we can by having both an explicit
+        # include (allow) and exclude (disallow) list.
+
+        # Remove ciphers which are vulnerable to the BEAST attack.
+        # http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
+        DISALLOWED_SSL_CIPHERS = %w[
           Protocol-SSLv2
           ADH-AES128-SHA
           ADH-AES256-SHA
@@ -193,12 +200,9 @@ def to_fog
           ADH-DES-CBC3-SHA
           ADH-RC4-MD5
           ADH-SEED-SHA
-          AES128-SHA
-          AES256-SHA
           DES-CBC-MD5
           DES-CBC-SHA
           DES-CBC3-MD5
-          DES-CBC3-SHA
           DHE-DSS-AES128-SHA
           DHE-DSS-AES256-SHA
           DHE-RSA-AES128-SHA
@@ -226,11 +230,45 @@ def to_fog
           PSK-AES128-CBC-SHA
           PSK-AES256-CBC-SHA
           RC2-CBC-MD5
+        ] +
+        # Remove all RC4 ciphers
+        # http://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
+        %w[
+          ADH-RC4-MD5
+          EXP-ADH-RC4-MD5
+          EXP-KRB5-RC4-MD5
+          EXP-KRB5-RC4-SHA
+          EXP-RC4-MD5
+          KRB5-RC4-MD5
+          KRB5-RC4-SHA
+          PSK-RC4-SHA
+          RC4-MD5
+          RC4-SHA
+        ]
+
+        # TODO: Move over to Elliptic Curve Cipher Suites (ECDHE ciphers) as
+        # soon as ELB supports them.
+        ALLOWED_SSL_CIPHERS = %w[
+          Protocol-SSLv3
+          Protocol-TLSv1
+          AES128-SHA
+          AES256-SHA
+          CAMELLIA128-SHA
+          CAMELLIA256-SHA
+          DES-CBC3-SHA
+          DHE-DSS-CAMELLIA128-SHA
+          DHE-DSS-CAMELLIA256-SHA
+          DHE-DSS-SEED-SHA
+          DHE-RSA-CAMELLIA128-SHA
+          DHE-RSA-CAMELLIA256-SHA
+          DHE-RSA-SEED-SHA
+          SEED-SHA
         ]
 
         field  :name,               String
         field  :port_mappings,      Array, :default => []
-        magic  :disallowed_ciphers, Array, :default => BEAST_VULNERABLE_CIPHERS
+        magic  :allowed_ciphers,    Array, :default => ALLOWED_SSL_CIPHERS
+        magic  :disallowed_ciphers, Array, :default => DISALLOWED_SSL_CIPHERS
         member :health_check,       HealthCheck
 
         def map_port(load_balancer_protocol = 'HTTP', load_balancer_port = 80, internal_protocol = 'HTTP', internal_port = 80, iam_server_certificate = nil)
@@ -240,11 +278,11 @@ def map_port(load_balancer_protocol = 'HTTP', load_balancer_port = 80, internal_
         end
 
         def ssl_policy_to_fog
-          result = Hash[ *disallowed_ciphers.collect { |c| [ c, false ] }.flatten ]
-          return {
-            :name       => Digest::MD5.hexdigest("#{disallowed_ciphers.sort.join('')}"),
-            :attributes => result,
-          }
+          result = { }
+          allowed_ciphers.each { |a| result[a] = true }
+          disallowed_ciphers.each { |d| result[d] = false }
+          uuid = Digest::MD5.hexdigest("ALLOWED:#{allowed_ciphers.sort.join('')};DISALLOWED:#{disallowed_ciphers.sort.join('')}")
+          return { :name => uuid, :attributes => result }
         end
 
         def listeners_to_fog(cert_lookup)